Security & exposure
Your Site Returns 200 OK. Your .env File Is Public.
A 200 OK says nothing about whether your .env file is public or your domain can be spoofed. Sitewatch checks the exposures attackers look for first — publicly downloadable secrets, forgotten staging sites, and missing email authentication — and re-checks on a schedule once you turn the scan into monitoring, so a hole that opens after a deploy still gets caught.
- Finds publicly downloadable .env, .git, and config backups
- Flags forgotten live staging sites serving your real app
- Checks SPF, DMARC, and DKIM — tells you if your domain is spoofable
- Monitoring re-checks every site — a hole that reopens after a deploy is caught
Free scan
Scan your site for exposures — free
Enter a URL and we check for publicly downloadable files, indexable staging, and a spoofable domain. Results in under a minute, no signup. Any secret we find is masked in the report.
The exposures uptime monitors miss
If we can find it, so can anyone.
Exposed secrets & source code
Critical: A publicly downloadable .env, an exposed .git folder, a database or config backup, a stray .DS_Store. The first three hand an attacker credentials or your source; the .DS_Store lists the files that sit beside it, including ones you never linked to. Present tense, not a theoretical risk: if the scan reached it, so can anyone.
Forgotten live staging
Critical: A dev or staging subdomain serving your real app, indexable by Google. It can leak unreleased work, expose data behind weaker auth, and outrank production in search.
A spoofable domain
Critical: Missing SPF, a DMARC policy of p=none, or a DKIM key that has vanished from DNS. Without an SPF record or an enforcing DMARC policy, receivers have no instruction to reject mail that claims to be from you, so someone can send phishing email as your domain today; a missing DKIM key leaves your own mail with only SPF to prove itself, which breaks as soon as a message is forwarded. We tell you which record is at fault, and the exact record to publish.
A hole that reopens
Moderate: A leak you fixed comes back after a deploy, or a protective DNS record gets dropped. Because we re-check on a schedule, the regression is caught the next time it happens, not months later.
Free to find, paid to watch
Find it once, then never stop watching
Scan finds what's exposed now
The free scan reads only what's already publicly reachable — the same paths any visitor or search engine can request — and reports what it found, present-tense.
Responsible by design
We check a fixed list of known paths. No fuzzing, no brute-forcing, no guessing — and any secret we surface is masked in the report.
Monitoring catches the regression
Turn it into continuous monitoring and Sitewatch re-checks on a schedule and after every deploy — so a leak that comes back, or a DMARC record that gets dropped, is caught the next time it happens.
Why uptime tools miss this
An exposed .env returns 200 like any other URL
| Feature | Uptime monitors | Sitewatch |
|---|---|---|
| Exposed .env / .git / backups | Not checked — a 200 looks healthy | Detected, with the exact path |
| Indexable live staging | Not checked | Flagged before it outranks production |
| Email spoofability (SPF/DMARC/DKIM) | Not checked | Checked, with the record to publish |
| Continuous re-checking | Re-checks uptime, not exposures | Re-checks exposures on a schedule and after deploys |
| Alerts when a hole reopens | No | Yes — drift detection with evidence |
Two layers, checked together
Exactly what Sitewatch inspects
Exposed surface
- Environment files — /.env and common variants holding secrets and API keys
- Version control — exposed /.git internals that reconstruct your source
- Backups — publicly reachable database and config backup files
- Stray files — .DS_Store and other artifacts that map your directory structure
- Live staging — dev/staging environments that are reachable and search-indexable
Email authentication (anti-spoofing)
- SPF — present and valid, so receivers can verify who may send for you
- DMARC — published and enforcing (not left at p=none, which only reports and blocks nothing)
- DKIM — signing key present, and flagged if it later disappears
- The fix — the exact record to publish, in plain language, for each gap found
Why this matters
Exposed files and email spoofing, explained
Most monitoring tells you a site is up. It can be up and still be leaking. A web server returns a 200 OK for a public /.env file exactly as it does for your homepage — so an uptime monitor, which only reads the status code, has no idea anything is wrong. The file is there for anyone who requests the URL.
Exposed files and forgotten staging
The exposures attackers probe for first are mundane: an .env file with database credentials and API keys, an exposed /.git directory that lets someone reconstruct your source, a database.sql backup left in the web root, or a staging subdomain that was never locked down and is now indexed by Google. None of these throw an error. Sitewatch checks a fixed allowlist of these known-risky paths on every scan, reports the ones that are publicly reachable, and masks any secret it surfaces. Pair it with security header monitoring and SSL monitoring for the full external-security picture.
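The check the paragraph describes, as an added example that is not Sitewatch's code: a classifier that takes the response for each path on a fixed allowlist and reports a finding only when the body confirms the exposure, masking .env values before they reach the report. The paths, the sample responses and the probe path are constructed for the example, not taken from any real site. It also handles the case a status code alone gets wrong in the other direction: a server that answers 200 with the same error page for every unknown URL (a soft 404), detected by comparing each body against a probe of a path that cannot exist. Fetching is left out so the block runs offline; wiring it to a site means requesting each path and passing the status and body to classify().

```python
"""Content-based classifier for responses to a fixed list of known-risky paths.

A 200 is necessary but not sufficient: the body must look like the thing the
path names, and a server that returns 200 with its error page for every
unknown URL (a "soft 404") must not produce a finding at all.
Example code only, not Sitewatch's implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Fixed allowlist; nothing is fuzzed, brute-forced or guessed.
KNOWN_PATHS = ["/.env", "/.env.backup", "/.git/HEAD", "/.git/config", "/backup.sql", "/.DS_Store"]
# Hypothetical probe path: a 200 here is the server's soft-404 page.
PROBE_PATH = "/probe-0f3c1a-does-not-exist"

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
GIT_HEAD = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"   # first 8 bytes of every .DS_Store file

# Constructed sample responses for one hypothetical site: path -> (status, body).
SAMPLES: Dict[str, Tuple[int, Union[str, bytes]]] = {
    PROBE_PATH: (200, "<html><body><h1>Not found</h1></body></html>"),
    "/.env": (200, 'APP_ENV=production\nDB_PASSWORD="s3cr3t-pa55word"\n'
                   '# third-party\nSTRIPE_KEY=sk_live_0123456789abcdef\nEMPTY=\n'),
    "/.env.backup": (404, "Not Found"),
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (404, "Not Found"),
    "/backup.sql": (200, "<html>\n<body>\n  <h1>Not found</h1>\n</body>\n</html>"),  # soft 404
    "/.DS_Store": (200, b"\x00\x00\x00\x01Bud1\x00\x00\x10\x00"),
}

@dataclass
class Finding:
    path: str
    kind: str
    evidence: str  # what goes in the report; secrets already masked

def mask_value(value: str) -> str:
    """Keep just enough of a value to recognise which secret leaked, never all of it."""
    value = value.strip().strip("\"'")
    if len(value) <= 4:
        return "***"
    return f"{value[:2]}***({len(value)} chars)"

def mask_env(text: str) -> str:
    """Reduce an env file to variable names with masked values; comments are dropped."""
    lines = []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            name, value = m.groups()
            lines.append(f"{name}={mask_value(value)}" if value.strip() else f"{name}=")
    return "\n".join(lines)

def env_var_count(text: str) -> int:
    return sum(1 for line in text.splitlines() if ENV_LINE.match(line))

def is_soft_404(text: str, probe_body: Optional[str]) -> bool:
    """Same page as the probe, ignoring whitespace, means the path does not really exist."""
    if probe_body is None:
        return False
    squash = lambda s: re.sub(r"\s+", "", s)
    return squash(text) == squash(probe_body)

def classify(path: str, status: int, body: Union[str, bytes],
             probe_body: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding only when the content confirms the exposure the path implies."""
    if status != 200:
        return None
    raw = body if isinstance(body, bytes) else body.encode()
    text = raw.decode("utf-8", "replace")
    if is_soft_404(text, probe_body):
        return None
    if path.startswith("/.env"):
        return Finding(path, "env-file", mask_env(text)) if env_var_count(text) else None
    if path == "/.git/HEAD":
        return Finding(path, "git-internals", text.strip()) if GIT_HEAD.match(text.strip()) else None
    if path == "/.git/config":
        return Finding(path, "git-internals", "[core] section present") if "[core]" in text else None
    if path.endswith(".sql"):
        if re.search(r"^(CREATE TABLE|INSERT INTO|-- MySQL dump)", text, re.M):
            return Finding(path, "database-backup", "SQL statements present; contents not reproduced")
        return None
    if path.endswith("/.DS_Store"):
        return Finding(path, "stray-file", "Finder metadata listing the directory") if raw.startswith(DS_STORE_MAGIC) else None
    return None

def scan_samples() -> List[Finding]:
    """Classify every allowlisted path in SAMPLES, using the probe as the soft-404 baseline."""
    probe_status, probe_body = SAMPLES[PROBE_PATH]
    baseline = probe_body if probe_status == 200 and isinstance(probe_body, str) else None
    findings = []
    for path in KNOWN_PATHS:
        if path in SAMPLES:
            status, body = SAMPLES[path]
            finding = classify(path, status, body, baseline)
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.kind}: {f.path}")
        print(f.evidence)
```

Run as a script, it reports three findings: the .env with every value masked, the .git/HEAD ref, and the .DS_Store. The 200 for /backup.sql is discarded because its body is the same page the probe got, which is the mistake a status-code-only check would make in the other direction.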
Can someone send email as your domain?
If your domain has no SPF record, or a DMARC policy that is absent or set to p=none, anyone can send phishing email that appears to come from you, and your clients' inboxes are the ones that receive it. A DKIM key that has gone missing is the quieter failure: your own legitimate mail no longer carries a signature receivers can verify, so it has only SPF to pass DMARC with, and that breaks the moment a message is forwarded. Sitewatch reads all three records, tells you in plain language whether your domain is spoofable, and gives you the exact record to publish to close the gap. Because it re-checks continuously, it also catches the case that one-off checkers can't: a protective record that quietly disappears after a DNS change.
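The three-record check described here, as an added example rather than Sitewatch's own code: it classifies SPF, DMARC and DKIM records and produces the record to publish for each gap. DNS lookups go through a resolver callable so the block runs offline against a constructed zone for a hypothetical domain (example-agency.test, the selectors s1 and s2, and every record in FAKE_ZONE are made up for the example); replacing fake_resolver with a function that performs a real TXT query is the only change needed to run it against a live domain. The verdict keys on DMARC, because that is the record that tells a receiver to reject mail failing SPF and DKIM; SPF and DKIM gaps are still reported, each with its fix.

```python
"""Classify a domain's SPF, DMARC and DKIM records and say what to publish.

Example code, not Sitewatch's implementation. The domain, selectors and
records in FAKE_ZONE are constructed for the example.
"""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]      # DNS name -> TXT strings ([] if none)
Gap = Tuple[str, str, str]                 # (record, problem, record to publish)

FAKE_ZONE: Dict[str, List[str]] = {
    "example-agency.test": [
        "v=spf1 include:_spf.mailer.test ~all",
        "google-site-verification=abc123",        # unrelated TXT record, must be ignored
    ],
    "_dmarc.example-agency.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-agency.test"],
    "s1._domainkey.example-agency.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    "s2._domainkey.example-agency.test": ["v=DKIM1; p="],   # key revoked: empty p= tag
}

def fake_resolver(name: str) -> List[str]:
    """Stand-in for a TXT lookup; a real one would query DNS for `name`."""
    return FAKE_ZONE.get(name.rstrip(".").lower(), [])

def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(domain: str, resolve: Resolver) -> List[Gap]:
    spf = [t for t in resolve(domain) if t.lower().startswith("v=spf1")]
    if not spf:
        return [("SPF", "no v=spf1 record",
                 f'{domain}. TXT "v=spf1 include:<your mail provider> -all"')]
    if len(spf) > 1:
        return [("SPF", "more than one v=spf1 record; receivers treat this as permerror",
                 "merge them into a single TXT record")]
    terms = spf[0].split()
    final = terms[-1].lower()
    if final in ("all", "+all", "?all"):
        return [("SPF", f"ends in {final}, which lets any host send",
                 f'{domain}. TXT "{" ".join(terms[:-1])} -all"')]
    if not final.endswith("all"):   # no all mechanism (a redirect= modifier is not followed here)
        return [("SPF", "no all mechanism, so unlisted hosts are neither passed nor failed",
                 f'{domain}. TXT "{spf[0]} -all"')]
    return []

def check_dmarc(domain: str, resolve: Resolver) -> Tuple[bool, List[Gap]]:
    """Return (enforcing, gaps). Only an enforcing policy tells receivers to reject."""
    name = f"_dmarc.{domain}"
    recs = [t for t in resolve(name) if t.lower().startswith("v=dmarc1")]
    if not recs:
        return False, [("DMARC", "no record, so receivers apply no policy",
                        f'{name}. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@{domain}"')]
    policy = parse_tags(recs[0]).get("p", "none").lower()   # missing p= is invalid; treat as none
    if policy == "none":
        return False, [("DMARC", "p=none only reports; spoofed mail is still delivered",
                        f'{name}. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@{domain}" '
                        "(move to p=reject once your own mail passes)")]
    return True, []

def check_dkim(domain: str, selectors: List[str], resolve: Resolver) -> List[Gap]:
    gaps: List[Gap] = []
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        txt = "".join(resolve(name))          # long keys are split across TXT strings
        if not txt:
            gaps.append(("DKIM", f"selector {selector} has no record",
                         f'{name}. TXT "v=DKIM1; k=rsa; p=<public key from your mail provider>"'))
        elif not parse_tags(txt).get("p"):
            gaps.append(("DKIM", f"selector {selector} has an empty p= tag (key revoked)",
                         f"republish the public key at {name}, or stop signing with {selector}"))
    return gaps

def assess(domain: str, selectors: List[str], resolve: Resolver = fake_resolver) -> dict:
    enforcing, dmarc_gaps = check_dmarc(domain, resolve)
    gaps = check_spf(domain, resolve) + dmarc_gaps + check_dkim(domain, selectors, resolve)
    # Spoofable from the receiver's side: nothing instructs it to reject mail failing SPF and DKIM.
    return {"domain": domain, "spoofable": not enforcing, "gaps": gaps}

if __name__ == "__main__":
    result = assess("example-agency.test", ["s1", "s2"])
    print(f'{result["domain"]}: {"SPOOFABLE" if result["spoofable"] else "enforcing"}')
    for record, problem, fix in result["gaps"]:
        print(f"  {record}: {problem}\n    publish: {fix}")
```

For the constructed zone the verdict is spoofable: the SPF record is fine, but DMARC sits at p=none and selector s2 has had its key revoked, so two gaps come back with the records to publish. The selectors have to be supplied by the caller because DKIM selectors are not discoverable from DNS alone.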
How this compares to security scanners and one-off checkers
Dedicated tools exist for parts of this. One-off web checkers like MXToolbox or Hardenize will tell you your SPF/DMARC status at a single moment, but they don't monitor it or alert you when it degrades. Enterprise scanners like Detectify do look for exposed .env and .git files — but at roughly ten times the price, point-in-time, with enterprise onboarding, and not built for an agency watching many client sites. Sitewatch's angle is the combination: continuous, alerting, affordable, and agency-shaped — the exposure and email-trust checks bundled into the same monitoring that watches whether your pages work. Run the free scan to see what's exposed right now.
Exposure & email trust FAQ
If your domain is missing an SPF record, or has a DMARC policy that is absent or set to p=none, then yes: nothing tells receiving mail servers to reject a message that claims to be from your domain, so someone can send phishing email that appears to come from you. A lost DKIM key does not open that door by itself, but it leaves your own mail with only SPF to prove it is yours. Sitewatch checks all three records and tells you whether your domain is spoofable, plus the exact record to publish to stop it. Run the free scan to find out in under a minute.
A .env file holds environment variables — often database passwords, API keys, and secret tokens. It's meant to stay on the server, never served to the public. When it's left in the web root, anyone who requests yoursite.com/.env can download it and read your credentials. The server returns a normal 200 OK, so uptime monitors never flag it. Sitewatch checks for it directly.
Yes. The scan only requests paths that are already publicly reachable — the same things any visitor or search engine can request. It checks a fixed list of known-risky paths, never fuzzes or brute-forces, and masks any secret it finds in the report. It's a read-only external check with no impact on your site.
An uptime monitor reads your server's status code. A public .env file, an exposed .git folder, and an indexable staging site all return 200 OK — so uptime monitoring reports them as healthy. Sitewatch checks the content and configuration behind the status code, which is the only way these exposures surface.
Enterprise scanners like Detectify do detect exposed .env and .git files, but they're priced for enterprise, run point-in-time, and aren't built around watching many client sites. Sitewatch bundles continuous, alerting exposure and email-trust checks into affordable, agency-shaped monitoring — so it's less a deep one-time pentest and more an always-on watch for the regressions that reopen after a deploy.
It reads your domain's SPF, DMARC, and DKIM DNS records. It flags a missing SPF record, a DMARC record that is missing or not enforcing (p=none), and a missing or disappeared DKIM key. For each gap, it gives you the specific record to publish. With continuous monitoring, it also alerts you if one of those protective records is later removed.
Explore more
Related monitoring
Free Website Scan
Run a full free scan — exposures, email trust, previews, and conversion paths.
Security Monitoring
Security headers and mixed-content checks on every page.
SSL Certificate Monitoring
Catch an expiring cert or broken chain before visitors do.
DNS Monitoring
Get alerted when MX, CNAME, or other DNS records change unexpectedly.
For Agencies
Watch exposure and email trust across every client site.
Find out what your site is exposing.
The free scan takes about 30 seconds and needs no account — run it on your own sites or a prospect's to see what's exposed. Turn it into continuous monitoring to catch the holes that reopen.